Mobile route optimization authorization

ABSTRACT

The invention consists of the invention consists of a new route optimization authentication protocol. The current Mobile IPv6 protocols do not allow for optional control over the use of route optimization. The present invention allows for system control over whether route optimization is allowed or not allowed. The conditional allowance of route optimization solves several billing and security issues by allowing the system to impose appropriate charges for the route optimization feature or prevent route optimization where message flow using care-of addressing can be monitored.

RELATED APPLICATION DATA

This application is a continuation of Utility patent application Ser. No. 11/986,458, filed on Nov. 21, 2007, and priority is claimed for this earlier filing under 35 U.S.C. §120. This application is also related to Provisional Patent Application Ser. No. 60/866,891 filed on Nov. 22, 2006. Priority is claimed for this earlier filing under 35 U.S.C. §119(e). Both prior applications are incorporated by reference into this utility patent application.

TECHNICAL FIELD OF THE INVENTION

A route optimization authorization protocol for use on a packet-based mobile communication system.

BACKGROUND OF THE INVENTION

Present-day Internet communications represent the synthesis of technical developments begun in the 1960s. During that time period, the Defense Department developed a communication system to support communication between different United States military computer networks, and later a similar system was used to support communication between different research computer networks at United States universities.

The Internet

The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, Defense Department officials wanted to connect different types of military computer networks. These different computer networks could not communicate with each other because they used different types of operating systems or networking protocols.

While the Defense Department officials wanted a system that would permit communication between these different computer networks, they realized that a centralized interface system would be vulnerable to missile attack and sabotage. To avoid this vulnerability, the Defense Department required that the interface system be decentralized with no vulnerable failure points.

The Defense Department developed an interface protocol for communication between these different network computers. A few years later, the National Science Foundation (NSF) wanted to connect different types of network computers located at research institutions across the country. The NSF adopted the Defense Department's interface protocol for communication between the research computer networks. Ultimately, this combination of research computer networks would form the foundation of today's Internet.

Internet Protocols

The Defense Department's interface protocol was called the Internet Protocol (IP) standard. The IP standard now supports communication between computers and networks on the Internet. The IP standard identifies the types of services to be provided to users and specifies the mechanisms needed to support these services. The IP standard also describes the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in this system.

A transmission protocol, called the Transmission Control Protocol (TCP), was developed to provide connection-oriented, end-to-end data transmission between packet-switched computer networks. The combination of TCP with IP (TCP/IP) forms a system or suite of protocols for data transfer and communication between computers on the Internet. The TCP/IP standard has become mandatory for use in all packet switching networks that connect or have the potential for utilizing connectivity across network or sub-network boundaries.

A computer operating on a network is assigned a unique physical address under the TCP/IP protocols. This is called an IP address. The IP address can include: (1) a network ID and number identifying a network, (2) a sub-network ID number identifying a substructure on the network, and (3) a host ID number identifying a particular computer on the sub-network. A header data field in the information packet will include source and destination addresses. The IP addressing scheme imposes a sensible addressing scheme that reflects the internal organization of the network or sub-network. All information packets transmitted over the Internet will have a set of IP header fields containing this IP address.

A router is located on a network and is used to regulate the transmission of information packets into and out of computer networks and within sub-networks. Routers are referred to by a number of names including Home Agent, Home Mobility Manager, Home Location Register, Foreign Agent, Serving Mobility Manager, Visited Location Register, and Visiting Serving Entity. A router interprets the logical address of an information packet and directs the information packet to its intended destination. Information packets addressed between computers on the sub-network do not pass through the router to the greater network, and as such, these sub-network information packets will not clutter the transmission lines of the greater network. If an information packet is addressed to a computer outside the sub-network, the router forwards the packet onto the greater network.

The TCP/IP network includes protocols that define how routers will determine the transmittal path for data through the network. Routing decisions are based upon information in the IP header and entries maintained in a routing table. A routing table possesses information for a router to determine whether to accept the communicated information packet on behalf of a destination computer or pass the information packet onto another router in the network or sub-network. The routing table's address data enables the router to accurately forward the information packets.

The routing table can be configured manually with routing table entries or with a dynamic routing protocol. In a dynamic routing protocol, routers update routing information with periodic information packet transmissions to other routers on the network. This is referred to as advertising. The dynamic routing protocol accommodates changing network topologies, such as the network architecture, network structure, layout of routers, and interconnection between hosts and routers. Internet Control Message Protocol (ICMP) information packets are used to update routing tables with this changing system topology.

The IP-Based Mobility System

The Internet protocols were originally developed with an assumption that Internet users would be connected to a single, fixed network. With the advent of portable computers and cellular wireless communication systems, the movement of Internet users within a network and across network boundaries has become common. Because of this highly mobile Internet usage, the implicit design assumption of the Internet protocols has been violated.

In an IP-based mobile communication system, the mobile communication device (e.g. cellular phone, pager, computer, etc.) is called a mobile node. Typically, a mobile node changes its point of attachment to a foreign network while maintaining connectivity to its home network. A mobile node may also change its point of attachment between sub-networks in its home network or foreign network. The mobile node will always be associated with its home network and sub-network for IP addressing purposes and will have information routed to it by routers located on the home and foreign network. Generally, there is also usually a correspondence node, which may be mobile or fixed, communicating with the mobile node.

IP Mobility Protocols

During the formative years since the Internet was first established, Internet Protocol version 4 (IPv4) was recognized and adopted as the standard version of the Internet Protocol. With the advent of mobile IP and proliferation of computers and computer systems linked to the Internet, various limitations in the IPv4 standard and associated procedures have developed and emerged. In response, new standards are evolving and emerging.

The most pressing limitation in the IPv4 standard is the restriction on the number of possible IP addresses imposed by the 32-bit address field size. A newer standard, the Internet Protocol version 6 (IPV6), increases the size of the available address space 400% to 128 bits, which vastly increases the number of available addresses. While the 32-bit address field provides 2³² or approximately 4 billion IP address possibilities, a 128-bit field provides 2¹²⁸ (340×10¹²) IP address possibilities.

A number of benefits emerge from this vastly larger available address field. First, there is little chance of exhausting the number of IP addresses. Second, a large address field allows aggregation of many network-prefix routers into a single network-prefix router. Finally, the large address pool allows nodes to auto configure using simple mechanisms. One practical advantage as a result is elimination of designated foreign agents to route information packets to a visiting mobile node on a foreign network.

IP Mobility Care-of Addressing

In a mobile IP network, nodes will transmit notification and discovery information packets onto the network to advertise their presence on the network and solicit advertisements from other nodes. While on a foreign network, a mobile node will be assigned a care-of address that will be used to route information packets to the foreign network and the attached mobile node. An advertisement from a router on the foreign network will inform a mobile node that is attached to a foreign network. The mobile node will typically create a care-of address on the foreign network, which it will transmit to its home network in an information packet to register the care-of address. Information packets addressed to the mobile node on the home network have the care-of address added. This information packet containing the care-of address will then be forwarded and routed to the mobile node on the foreign network by a router on the foreign network according to the care-of address.

Authentication, Authorization and Accounting (“AAA”)

In an IP-based mobile communications system, the mobile node changes its point of attachment to the network while maintaining network connectivity. When a mobile node travels outside its home administrative domain, however, the mobile node must communicate through multiple domains in order to maintain network connectivity with its home network. While connected to a foreign network controlled by another administrative domain, network servers must authenticate, authorize and collect accounting information for services rendered to the mobile node. This authentication, authorization, and accounting activity is called “AAA”, and AAA servers on the home and foreign network perform the AAA activities for each network.

Authentication is the process of proving one's claimed identity, and security systems on a mobile IP network will often require authentication of the system user's identity before authorizing a requested activity. The AAA server authenticates the identity of an authorized user and authorizes the mobile node's requested activity. Additionally, the AAA server will also provide the accounting function including tracking usage and charges for use of transmissions links between administrative domains.

Another function for the AAA server is to support secured transmission of information packets by storing and allocating security associations. Security associations refer to those encryption protocols, nonces, and keys required to specify and support encrypting an information packet transmission between two nodes in a secure format. The security associations are a collection of security contexts existing between the nodes that can be applied to the information packets exchanged between them. Each context indicates an authentication algorithm and mode, a shared or secret key or appropriate public/private key pair, and a style of replay protection.

Route Optimization

Route optimization allows the Mobile Node (MN) to establish a direct link a correspondent node instead of using a care-of address forwarding and encapsulation operation. Route optimization, as its name implies, optimizes the routing efficiency to a Mobile Node, and IPv6 protocol automatically establishes route optimization by default. Because the default procedures in IPv6 protocol, there is a lack of control over the selection and authorization of route optimization feature in the Mobile IPv6 protocol. In the prior art, there is no mechanism to control the route optimization feature. There is a need to control the route optimization feature to control billing options for subscriber charges. Moreover, there is also a security reason to prevent route optimization and force the user to forward transmissions through the home network for monitoring purposes, instead of permitting a direct link between the correspondent node and the mobile node (MN). There is a need for a mechanism to control the route optimization authorization feature.

SUMMARY OF THE INVENTION

The invention consists of a new route optimization authentication protocol. The current Mobile IPv6 protocols do not allow for optional control over the use of route optimization. The present invention allows for system control over whether route optimization is allowed or not allowed. The conditional allowance of route optimization solves several billing and security issues by allowing the system to impose appropriate charges for the route optimization feature or prevent route optimization where message flow (using care-of addressing) needs to be monitored through the home network.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects and features of the invention will become more readily understood from the following detailed description and appended claims when read in conjunction with the accompanying drawings in which like numerals represent like elements and in which:

FIG. 1 is a diagram of a mobile IP wireless communication network compatible with Mobile IPv6; and,

FIG. 2 is the message flow of the invention for authentication and authorization of the Mobile Node using the route optimization authentication option.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 shows an embodiment for a mobile IP cellular communication network compatible with Mobile IPv6 using the invention. A home network 105 consists of an Authentication, Authorization, and Accounting server 110. The server 110 is connected to a buss line 113 to a home agent (HA) 115. Communication link 117 connects the HA 115 to the Internet 120. A communication link 121 connects the Internet 120 to a Foreign Agent 130 on a visited network 125. Communication link 129 connects the Foreign Agent 130 to the Mobile Node (MN) 135, and this communication link includes a wireless connection. The Mobile Node 135 can be a communication device, such as a cellular phone, a computer, a router, a personal data assistant (PDA) and handheld terminal, or some other type of host.

The Mobile Node 135 is associated with the Home Agent 115. Information packets sent to the Mobile Node 135 on the home network 105 are routed to the Mobile Node 135 while linked to the foreign network 125. The Home Agent 115 stores an address association in its memory corresponding to the location of the Mobile Node 135 on the foreign network 125. The address association includes the Internet Protocol address of the Mobile Node 135 on the home network 105 and the care-of address corresponding to the topological location of the Foreign Agent 130. As the Mobile Node 135 moves from network to network, the various routing tables and other data tables must be updated to maintain communication with the Mobile Node 135 thereby ensuring the correct routing of information packets.

When Mobile Node 135 movement results in a change in connectivity, the Mobile Node's 135 care-of address must be updated so that the correct router associations on both the Home Agent 115 and the Foreign Agent 130 are maintained. Hand-off procedures involve assignment of a care-of address for the Home Agent 115 to transmit an information packet through the Internet 120, so that the Foreign Agent 130 can route the information packet to the connected Mobile Node 135.

A correspondent node (CN) 145 is coupled to the Home Agent (HA) 115 through communication link 150. When communicating to the MN 135, the correspondent node (CN) 145 initially communicates through the Home Agent (HA) 115. The Home Agent (HA) 115 uses care-of address and packet encapsulation to forward packets to the MN 135 through the visited network 125.

Route optimization allows the CN 145 to communicate directly with the MN 135 over communication link 153, instead of communicating indirectly with MN 135 through communication link 150, Home Agent 115, and the care-of forwarding process through the visited network 125. Such route optimization is always implemented as a mandatory feature in Mobile IPv6, but the route optimization needs to be controlled and authorized so that billings to the user can be adjusted if route optimization is allowed and security and monitoring features can be invoked by disallowing route optimization. By disallowing the route optimization, all messages between the correspondent node (CN) 145 and the mobile node (MN) 135 can be monitored at the home network 105.

In this manner, the route optimization authorization can be selectively activated or disallowed by the system protocols to accommodate these billing and security requirements of the system. The increased flexibility added to the system through the use of the present invention is significant, and the benefits achievable from the use of the invention are substantial.

FIG. 2 shows one embodiment of the message flow the present invention for authorization of route optimization during the authentication and authorization initialization process. The invention could also include a route optimization authorization as a purely periodic function or in response to a user or system initiated protocol. For the purposes of this preferred embodiment, the route optimization authorization will be explained in relation to the initialization process shown in FIG. 2.

As set forth therein, in step 205, the MN 135 generates a Binding Update (BU) message and transmits that message to the home agent (HA) 115. The BU 205 message tells the Home Agent (HA) 115 where the mobile node (MN) 135 is located. This location information would provide the Home Agent (HA) 115 with information on the visited network 125 supporting the communications to the MN 135. The care-of address information for this visited network 125 would be provided to the Home Agent (HA) 115, so that message forwarding can be conducted by the Home Agent 115.

The Home Agent 115 will transmit an authorization (AUTH) message 210 over communication link 113 to the AAA server 110. The AAA server 110 is the authorization, authentication and accounting server that maintains (as its name would imply) authentication information, accounting information, and authorization information for users associated with home network 105. The authorization (AUTH) message 210 will inquire from AAA server 110 whether the Mobile Node MN 135 initiating the Binding Update message 210 has been authenticated, and if so, if that MN 135 has an active account that is authorized to support mobile communications under Mobile IPv6 and whether route optimization is permitted to that Mobile Node (MN) 135. Also, accounting information and status codes can be provided for particular mobile nodes on the system. The authorization AUTH 210 message contains all the required identification information for the AAA server 110 to conduct its analysis of the Mobile Node MN 135.

In response to the authorization AUTH 210 message, the AAA server 110 will respond to the Home Agent 115 with an authorization AU Reply message 215. The AU Reply 215 message will provide the Home Agent 115 with an indicator of whether route optimization is authorized under Mobile IPv6 protocols, and whether or not route optimization is authorized for the mobile node MN 135.

If the communication protocol does not support communication to the Mobile Node MN 135 under Mobile IPv6, then route optimization will not be supported. The AAA server 110 will indicate that route optimization is not supported in the AU Reply message 215. The AU Reply 215 may include a separate attribute that indicates “MIPs=No” to show that Mobile IPv6 communications are not supported by the system for communications with Mobile Node MN 135.

If the communication protocol supports communication to the Mobile Node (MN) 135 under Mobile IPv6, then the AAA server 110 will designate in the AU Reply message 215 whether route optimization is authorized or not. The AU Reply message 215 could include a separate attribute in the AU Reply 215 that indicates “MIPs=Y” to show Mobile IPv6 protocols support communication with Mobile Node 135 and RO=Y to indicate that route optimization is supported for communications to Mobile Node MN 135. If route optimization is not supported to Mobile Node MN 135 for this type of communication, then the attributes would be set at “MIPs=Y” and “RO=N” to show Mobile IPv6 is supported, but route optimization is not authorized to Mobile Node MN 135.

As an alternative, there are codes in the AU Reply 215 that can be set to indicate whether route optimization is authorized or not authorized. For instance, a status code could be set to a value of less than 128 if route optimization is not authorized or above 128 if route optimization is authorized. This code would use as pre-existing attribute value in the AU Reply 215 packet, instead of creating a new attribute or modifying the existing data packet structure used in Mobile IPv6 protocols. Other types of codes or flags can be used in the existing packet structure of the Mobile IPv6 packet to indicate whether Mobile IPv6 is supported and whether or not route optimization is authorized.

After receiving the AU Reply 215 message, the home agent 115 communicates a Binding Update acknowledgement (BU Ack) 220 message to the Mobile Node 135. This BU Ack 220 message includes an indication of whether route optimization is supported or not. The indication of route optimization authorization can be shown as a separate attribute (e.g. “R.O.=Y” or “R.O.=N”) for a Mobile IPv6 packet or as a value for a pre-existing attribute (attribute <128 means “RO=No” or Attribute >128 means “RO=Yes”) in the Mobile IPv6 packet.

As an additional option, a code message can be communicated to the Mobile Node MN 135 from the home agent 115 to indicate whether route optimization is authorized and supported. The code message can indicate “MIPv6 authorization successful, but Route Optimization is Not Allowed,” “MIPv6 authorization not successful,” or “MIPv6 authorization successful and Route Optimization Allowed” depending on the communication protocol supported and the route optimization authorization.

If communications involving the Mobile Node 135 are supported under Mobile IPv6 and Route Optimization is authorized, then route optimization signaling messages (MSG1, MSG2, MSG3 and MSG4) are transmitted between the MN 135, the home agent HA 115, and the correspondent node CN 145 to initialize and initiate the route optimization communications. Specifically, if route optimization is authorized based on the receipt of the BU Ack 220 message, the Mobile Node 135 responds to the Home Agent HA 115 with MSG1 at step 222. The Home Agent HA 115 transmits a message MSG2 225 to the correspondent node 145, and the correspondent node 145 responds to the Home Agent HA 115 with message MSG3 230. The home agent HA 115 then signals the Mobile Node MN 135 with message MSG4 to complete the route optimization initialization communications. Thereafter, the route optimization communication traffic is transmitted directly between the Mobile Node MN 135 and the correspondent node CN 145 as shown in step 240. If route optimization is not permitted, then the communication traffic to the Mobile Node MN 135 from the correspondent node CN 145 is transmitted through the home agent HA 115 as shown in step 245.

While the invention has been particularly shown and described with respect to preferred embodiments, it will be readily understood that minor changes in the details of the invention may be made without departing from the spirit of the invention. 

Having described the invention, we claim:
 1. A communication system, comprising: a home network configured to cooperate with a foreign network, the home network comprising a home agent adapted to: determine, based on a message sent from a mobile node of the foreign network, whether route optimization protocols are to be initiated allowing direct communication between the mobile node and a correspondent node, or whether such route optimization protocols are to be denied so that communication between the correspondent node and the mobile node is routed through the home network; and confirm route optimization with a first acknowledgement message sent to the mobile node and a second acknowledgement message sent to the correspondent node, the second acknowledgement message including a route optimization status indicating to the correspondent node whether route optimization with the mobile node is permitted.
 2. The communication system of claim 1 wherein said home agent is adapted to make the route optimization determination with the assistance of an authentication, authorization, and accounting (AAA) server.
 3. The communication system of claim 1 wherein the home agent is adapted to receive a route optimization authorization message from the mobile node after confirming route optimization.
 4. The communication system of claim 1 wherein the home agent is adapted to receive a route optimization authorization status message from the correspondent node after confirming route optimization.
 5. The communication system of claim 1 wherein the route optimization authorization is indicated by a value of a pre-existing attribute in a packet transmission.
 6. The communication system of claim 1 wherein the availability of route optimization is communicated to the mobile node in a code message.
 7. A method implemented by a home agent, the method comprising: receiving, by the home agent, a binding update message from a mobile node; determining, by the home agent and based on the binding update message, whether route optimization is to be initiated allowing direct communication between the mobile node and a correspondent node, or whether such route optimization is to be denied so that communication between the mobile node and the correspondent node is to be routed through a home network; transmitting, by the home agent, a first acknowledgement message to the mobile node that indicates whether route optimization is authorized or not; and transmitting, by the home agent, a second acknowledgement message to the correspondent node, the second acknowledgement message including a route optimization status indicating to the correspondent node whether route optimization with the mobile node is permitted.
 8. The method of claim 7 wherein the route optimization determination is made with the assistance of an authentication, authorization, and accounting (AAA) server.
 9. The method of claim 7 further comprising the step of: receiving a route optimization message from the mobile node after confirming route optimization.
 10. The method of claim 7 further comprising the step of: receiving a route optimization message from the correspondent node after confirming route optimization.
 11. The method of claim 10 wherein the route optimization determination is made with the assistance of an authentication, authorization, and accounting (AAA) server.
 12. The method of claim 7 wherein the route optimization authorization status is communicated to the mobile node by a code message.
 13. The method of claim 7, wherein the determination of whether route optimization is to be initiated is made by sending a message to an authentication, authorization, and accounting (AAA) server, and receiving a response from the AAA server, the response from the AAA server indicating whether route optimization should be initiated or denied.
 14. A communication system, comprising: a home network configured to cooperate with a foreign network, the home network comprising a home agent adapted to: determine, based on a message sent from a mobile node of the foreign network, whether route optimization protocols are to be initiated allowing direct communications between the mobile node and a correspondent node, or whether such route optimization protocols are to be denied so that communication between the correspondent node and the mobile node is routed through the home network; communicate route optimization authorization status to the mobile node by a first acknowledgement message; and communicate route optimization authorization status to the correspondent node by a second acknowledgement message, the status indicating whether route optimization with the mobile node is permitted.
 15. The communication system of claim 14 wherein the home agent is adapted to make the route optimization determination with the assistance of an authentication, authorization, and accounting (AAA) server.
 16. The communication system of claim 14 wherein the home agent is adapted to receive a route optimization authorization message from the mobile node after confirming route optimization.
 17. The communication system of claim 16 wherein the home agent is adapted to receive a route optimization authorization message from the correspondent node after confirming route optimization.
 18. The communication system of claim 16 wherein the route optimization authorization status is indicated by a value of pre-existing attribute in a packet transmission.
 19. The communication system of claim 16 wherein the availability of route optimization is communicated to the mobile node in a code message.
 20. The communication system of claim 16 wherein the home agent is adapted to make the route optimization determination with the assistance of an authentication, authorization, and accounting (AAA) server. 